
    MeshCentral - Increased Security Installation

    • syko24S
      syko24
      last edited by

      Are you guys using this recommendation on your installs? This is from section 6.8 in the online manual. I am trying to understand the added benefit to this install method or in the end is it just a headache.

      On Debian based Linux distributions like Ubuntu, a better and more secure way to install MeshCentral is to have it run within a user account with restricted privileges.
      
      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

        syko24S 1 Reply Last reply Reply Quote 0
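The trade-off in the two posts above, written out as a systemd unit: this is an added example, not taken from the MeshCentral manual or from any poster. The account name `meshcentral`, the `/opt/meshcentral` layout and the `/usr/bin/node` path are assumptions.

```ini
# Added example; assumed names: service account "meshcentral",
# install dir /opt/meshcentral, node binary at /usr/bin/node.

# --- Variant A: runs as root (what permits in-place automatic updates) ---
# [Service]
# WorkingDirectory=/opt/meshcentral
# ExecStart=/usr/bin/node /opt/meshcentral/node_modules/meshcentral
# (no User= line, so systemd starts the process as root)

# --- Variant B: restricted service account ---
[Unit]
Description=MeshCentral (restricted account)
After=network.target

[Service]
Type=simple
User=meshcentral
Group=meshcentral
WorkingDirectory=/opt/meshcentral
ExecStart=/usr/bin/node /opt/meshcentral/node_modules/meshcentral
Restart=always
# Allow binding to ports below 1024 without running as root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# The process and its children can never gain further privileges
NoNewPrivileges=yes
# /usr, /boot and /etc are mounted read-only for this service
ProtectSystem=full
# /home, /root and /run/user are inaccessible
ProtectHome=yes
# Private /tmp and /var/tmp
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

In variant B the code tree is meant to be owned by root, with only the data directory owned by the service account, so a compromised server process cannot rewrite its own code. A process that cannot write to its install directory also cannot update itself in place, so updates become a separate step run by an administrator.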
        • syko24S
          syko24 @scottalanmiller
          last edited by

          @scottalanmiller said in MeshCentral - Increased Security Installation:

          We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

          When you say it is isolated, do you mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?

          DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
          • DashrenderD
            Dashrender @syko24
            last edited by

            @syko24 said in MeshCentral - Increased Security Installation:

            @scottalanmiller said in MeshCentral - Increased Security Installation:

            We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

            When you say it is isolated, do you mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?

            Lol none of that stuff really matters as much because at the jacked point you now have remote access to all of the machines it connects to.

            syko24S 1 Reply Last reply Reply Quote 0
            • syko24S
              syko24 @Dashrender
              last edited by

              @Dashrender said in MeshCentral - Increased Security Installation:

              @syko24 said in MeshCentral - Increased Security Installation:

              @scottalanmiller said in MeshCentral - Increased Security Installation:

              We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

              When you say it is isolated, do you mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?

              Lol none of that stuff really matters as much because at the jacked point you now have remote access to all of the machines it connects to.

              True but I thought @scottalanmiller had said at one time they use it for on-demand access and not unattended

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @syko24
                last edited by

                @syko24 said in MeshCentral - Increased Security Installation:

                @scottalanmiller said in MeshCentral - Increased Security Installation:

                We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

                When you say it is isolated, do you mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?

                It has no access to anything, it's a fully independent VM. We are LANless, nothing talks to anything else on a LAN.

                dafyreD 1 Reply Last reply Reply Quote 0
                • dafyreD
                  dafyre @scottalanmiller
                  last edited by dafyre

                  @scottalanmiller said in MeshCentral - Increased Security Installation:

                  @syko24 said in MeshCentral - Increased Security Installation:

                  @scottalanmiller said in MeshCentral - Increased Security Installation:

                  We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.

                  When you say it is isolated, do you mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?

                  It has no access to anything, it's a fully independent VM. We are LANless, nothing talks to anything else on a LAN.

                  However, if somebody exploits an unknown vulnerability to get access to the application, they could connect to any of your clients that are connected.

                  Edit: If they crash the application and get access to the server, that is still a concern, but not as big of a concern as gaining access to the application.

                  scottalanmillerS 2 Replies Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @dafyre
                    last edited by

                    @dafyre said in MeshCentral - Increased Security Installation:

                    However, if somebody exploits an unknown vulnerability to get access to the application, they could connect to any of your clients that are connected.

                    Yes, but that would happen regardless of the running as root issue. That's certainly a risk that every remote access system worries about. But not one related to this specific topic.

                    1 Reply Last reply Reply Quote 1
                    • scottalanmillerS
                      scottalanmiller @dafyre
                      last edited by

                      @dafyre said in MeshCentral - Increased Security Installation:

                      Edit: If they crash the application and get access to the server, that is still a concern, but not as big of a concern as gaining access to the application.

                      Right, the only reason to want access to the server is to get access to the app. The app is literally the only thing worth anything on the box.

                      1 Reply Last reply Reply Quote 0